High availability transport protocol method and apparatus

ABSTRACT

A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to co-pending, commonly assigned applicationSer. No. 10/808,040, filed Mar. 24, 2004, entitled “Routing system andmethod for transparently recovering routing states after a failover orduring a software upgrade,” of Chandrashekhar Appanna et al., and toco-pending, commonly assigned application Ser. No. 10/948,732, filedSep. 22, 2004, entitled “Cooperative TCP/BGP Window Management ForStateful Switchover,” of Chandrashekhar Appanna et al.

FIELD OF THE INVENTION

The present invention generally relates to providing high availabilityor fault-tolerant transport layer connections in telecommunicationnetworks. The invention relates more specifically to approaches forsupporting reliable and efficient switchover of Transport ConnectionProtocol (TCP) connections in routers and switches without interferingwith network routing and switching operations.

BACKGROUND

The approaches described in this section could be pursued, but are notnecessarily approaches that have been previously conceived or pursued.Therefore, unless otherwise indicated herein, the approaches describedin this section are not prior art to the claims in this application andare not admitted to be prior art by inclusion in this section.

Border Gateway Protocol (BGP) is a path vector routing protocol forinter-Autonomous System routing. The function of a BGP-enabled networkelement (a BGP host or peer) is to exchange network reachabilityinformation with other BGP-enabled network elements. The most commonlyimplemented version of BGP is BGP-4, which is defined in RFC1771(published by the Internet Engineering Task Force (IETF) in March 1995).

To exchange routing information, two BGP hosts first establish a peeringsession by exchanging BGP OPEN messages. The BGP hosts then exchangetheir full routing tables. After this initial exchange, each BGP hostsends to its BGP peer or peers only incremental updates for new,modified, and unavailable or withdrawn routes in one or more BGP UPDATEmessages. A route is defined as a unit of information that pairs anetwork destination with the attributes of a network path to thatdestination. The attributes of the network path include, among otherthings, the network addresses (also referred to as address prefixes orjust prefixes) of the computer systems along the path. In a BGP host,the routes are stored in a Routing Information Base (RIB). Depending onthe particular software implementation of BGP, a RIB may be representedby one or more routing tables. When more than one routing tablerepresents a RIB, the routing tables may be logical subsets ofinformation stored in the same physical storage space, or the routingtables may be stored in physically separate storage spaces.

As networks grow more complex and the number of BGP routes maintained bya particular element increases, the consequences of the failure of a BGPhost device, or the BGP process that it hosts, become more severe. Forexample, in some scenarios a BGP failure may require retransmission of alarge amount of route information and re-computation of a large amountof network reachability information. Therefore, vendors of network gearand their customers wish to deploy BGP in a fault-tolerant manner.

BGP commonly runs on and uses the Transmission Control Protocol (TCP) asdefined in RFC 793, which provides a connection-oriented, reliable datadelivery service for applications such as BGP. Having highly available,reliable TCP connections that can be switched over in the face offailure is a foundation requirement for providing BGP with highavailability.

Highly reliable networks offer high availability by detecting failuresand handling the failures in a timely manner with zero or minimaldisruption of service. Redundant systems that have at least onesecondary processor are often used to achieve high reliability. When thesecondary processor is synchronized to the primary processor, and cantake over with almost no visible interruption to peer devices, thesecondary processor is termed a “hot standby” and the switchover istermed “stateful switchover” or SSO.

SSO can be implemented in a telecommunication network with networkelements that have dual route processors, each of which can hostseparate but duplicate instances of various software applications. Oneroute processor is deemed Active and the other is deemed Standby. Whenthe processors are operating in SSO mode, the active route processorautomatically replicates all messages that it receives or sends, for allprotocols or activities, and sends the replicated messages to thestandby route processor.

In some embodiments, the active route processor periodically sends abulk copy of data representing a particular state (a “checkpoint”) tothe standby route processor. While replication and checkpointing enablethe standby route processor to achieve synchronization of state with theactive route processor, these approaches require considerable use ofprocessing resources and memory, and require extensive use of aninter-processor communication mechanism. When a route processor ismanaging a large number of BGP sessions and TCP connections, the burdenof continually operating in SSO mode may become unacceptable.

As networks grow larger and more complex, network reliability andthroughput depends to a greater extent upon the availability of softwareprocesses that implement BGP. For example, when a BGP host becomesunavailable, many other BGP peers may need to re-compute routeinformation to account for the unavailability. Other hosts may lose BGPconnectivity during the transition. Thus, present approaches forupgrading BGP software to support new features in large networks causesignificant network churn. Network administrators are demanding a bettersolution that does not perturb the network.

Moreover, BGP is merely one example of an application for which highavailability is desirable; there are many other applications. BGP andother applications running on top of transport-layer protocols, such asTCP, would benefit greatly from a solution providing true SSO for theTCP connections, achieved in a scalable manner.

Further, users and administrators expect any SSO support for TCP toprovide a solution that performs well and scales to large networks thatuse existing and future platforms without major hardware upgrades.

One approach for providing high-availability TCP involves massive datacheckpointing of send and receive windows and related metadata for allestablished TCP connections. While this approach does allow active andstandby processors to maintain identical TCP state information, it is a“brute-force” approach that requires extensive CPU resources. Networkadministrators desire to have a more efficient approach that is readilyscalable to large numbers of connections.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by wayof limitation, in the figures of the accompanying drawings and in whichlike reference numerals refer to similar elements and in which:

FIG. 1A is a block diagram that illustrates an overview of a networkelement that may be used to implement an embodiment;

FIG. 1B is a block diagram showing example functional elements in a TCPhigh availability process;

FIG. 2A is a flow diagram that illustrates a high level overview of oneembodiment of a method for providing high-availability transport layerconnections;

FIG. 2B is a block diagram showing the use of a peer signaling layer forcommunicating events among active and standby TCP layers;

FIG. 3, FIG. 4, and FIG. 5 are flow diagrams that illustrate details ofone embodiment of a method for providing high-availability transportlayer connections;

FIG. 6 is a block diagram that illustrates a computer system upon whichan embodiment may be implemented.

DETAILED DESCRIPTION

A high availability transport protocol method and apparatus aredescribed. In the following description, for the purposes ofexplanation, numerous specific details are set forth in order to providea thorough understanding of the present invention. It will be apparent,however, to one skilled in the art that the present invention may bepracticed without these specific details. In other instances, well-knownstructures and devices are shown in block diagram form in order to avoidunnecessarily obscuring the present invention.

Embodiments are described herein according to the following outline:

-   -   1.0 General Overview    -   2.0 Structural and Functional Overview    -   3.0 Example Implementation of High Availability Transport        Protocol Method and Apparatus        -   3.1 State Replication        -   3.2 Setting Up And Synchronizing New Connections        -   3.3 Processing Send Window Values        -   3.4 Initial Synchronization Of Standby Tcp Module        -   3.5 State Tracking And Verification        -   3.6 Post-Switchover Processing        -   3.7 Benefits Of Certain Embodiments    -   4.0 Implementation Mechanisms—Hardware Overview    -   5.0 Extensions and Alternatives        1.0 General Overview

The needs identified in the foregoing Background, and other needs andobjects that will become apparent for the following description, areachieved in the present invention, which comprises, in one aspect, amethod comprising receiving, at a network element comprising an activetransport protocol process coupled to a standby protocol process, arequest to configure a first transport layer connection maintained atthe active transport protocol process for stateful switchover; receivingan event associated with the first transport layer connection; creatinga message containing replicated event information based on the receivedevent; sending the message to the standby transport protocol process;and processing the message at the standby transport protocol process,and the standby transport protocol process replicates state informationfor the first connection.

According to one feature, the active transport protocol process and thestandby transport protocol processes implement transmission controlprotocol (TCP). In another feature, the message is sent from the activetransport protocol process to the standby transport protocol processusing a peer signaling layer, and the message is not communicated to oneor more logically lower protocol layers.

In another feature, the event comprises a TCP SYN segment; the activetransport protocol process completes establishment of the firstconnection without informing the standby transport protocol process,creates a copy of a TCP control block, places the TCP control block copyin the event message; and the standby transport protocol process createsa second connection that replicates the first transport layer connectionand uses the TCP control block copy.

In yet another feature, the active transport protocol process furtherperforms one or more security checks on the TCP SYN segment, and theactive transport protocol process sends the event message only if theTCP SYN segment passes the one or more security checks. In still anotherfeature, the first transport protocol connection is configured not toperform send window checkpointing, and the active transport protocolprocess creates and sends, to the standby transport protocol process, aTCP segment with a valid header, correct length, and dummy data.

In still another feature, the method further comprises receiving arequest for state verification, testing whether one or more state valuesmaintained by the active transport protocol process for the firsttransport protocol connection match one or more corresponding statevalues that are maintained by the standby transport protocol process fora replica of the first transport protocol connection, and performing aresponsive action when no match occurs.

In another feature, in response to a switchover, the standby transportprotocol process processes all pending events associated with all activeconnections, resets all timer values associated with the connections,and resets all option values associated with the connections beforebecoming active.

In other aspects, the invention encompasses a computer apparatus and acomputer-readable medium configured to carry out the foregoing steps.

2.0 Structural and Functional Overview

FIG. 1A is a block diagram that illustrates an overview of a networkelement that may be used to implement an embodiment. A network element100 comprises an active route processor 102A and a standby routeprocessor 102B arranged in a redundant or fault-tolerant configuration.In one embodiment, network element 100 is a dual-processor router orswitch that participates in a packet-switched network or internetwork.Active route processor 102A hosts a TCP module 108A that runs orcontrols a TCP high-availability (HA) process 106A and a BGP application104A. Standby route processor 102B hosts a TCP module 108B, BGPapplication 104B, and TCP HA process 106B.

TCP modules 108A, 108B and TCP HA processes 106A, 106B provide transportcontrol protocol functionality. BGP application 104A, 104B provideborder gateway protocol functionality. In alternative embodiments,active route processor 102A and standby route processor 102B may hostother protocols and applications. Thus, TCP modules 108A, 108B, TCP HAprocesses 106A, 106B, and BGP application 104A, 104B are shown only asexamples and not as requirements.

An inter-process communication (IPC) service 110 is coupled betweenactive route processor 102A and standby route processor 102B, andprovides a means for the route processors to exchange data andinstructions.

In one embodiment, network element 100 is implemented as one of theCisco 10000 Series Routers, commercially available from Cisco Systems,Inc. Alternatively, network element could be a Cisco CRS-1 CarrierRouting System. The arrangement of FIG. 1A represents just one possiblecontext for applying the approaches described herein.

The approaches herein provide an architecture comprising multipletechniques to achieve SSO for TCP connections that will perform andscale well on current and future router platforms without requiringspecial hardware assistance. Generally, the adaptive TCP SSOarchitecture proposed herein implements a high availability TCP modulethat will extract the events necessary for providing SSO functionalityfor TCP connections based on system behavior and then signal the eventsto a standby TCP module. The standby TCP module uses the events torecreate state data that is identical in form and function to the statedata at the active TCP module. Applications that use or run on TCPconnections also participate in certain respects. With this approach, ascalable, efficient and useful TCP SSO support implementation is madepossible by providing an architecture that can adapt to the needs of TCPapplications, and can be tuned based on application needs and strengths.

FIG. 1B is a block diagram showing example functional elements in a TCPhigh availability process, such as TCP high availability process 106A ofFIG. 1A. In one embodiment, TCP high availability process 106A comprisesstate replication logic 120, connection marking logic 122, newconnection processing logic 124, send window checkpoint logic 125,initial synchronization logic 126, post-switchover logic 128, and peersignaling logic 130. The foregoing elements may be implemented as one ormore sequences of computer program instructions, or other softwareelements, for implementing the functions described herein. Specificlogical functions are described in succeeding sections.

FIG. 2A is a flow diagram that illustrates a high level overview of oneembodiment of a method for providing high-availability transport layerconnections. FIG. 2B is a block diagram showing the use of a peersignaling layer for communicating events among active and standby TCPlayers. Referring first to FIG. 2A, in one embodiment the active TCPmodule 108 a of FIG. 1A first identifies an event associated withsupporting TCP stateful switchover. Events may include receiving certainkinds of TCP segments, receiving information relating to applicationbehavior or system behavior, etc.

At step 204, the active TCP module creates a message containing eventinformation. The message created at step 204 comprises, for example,information that the standby TCP module needs to replicate stateinformation that is equivalent to state maintained at the active TCPmodule.

At step 206, the message created at step 204 is sent to the standby TCPmodule. At the standby TCP module 108B, the event message is received atstep 208. The standby TCP module 108B then processes the event messageto recreate state information at the standby TCP module. The recreatedstate information is equivalent to state information maintained by theactive TCP module. However, the approach of FIG. 2A does not requirecheckpointing all data that is actually carried in TCP segments that arereceived at the active TCP module 108A as part of an established TCPconnection. Therefore, the present approach achieves far greaterefficiency and scalability than past approaches.

In one embodiment, messages created at step 204 are sent at step 206from one transport layer module hosted by an active route processordirectly to a transport layer module hosted by a standby routeprocessor, without passing down other stack layers. Referring now toFIG. 2B, when an implementation is structured according to theseven-layer Open Systems Interconnect (OSI) model of network software,the active TCP module 108A of FIG. 1 may reside conceptually at thetransport layer 212A and a TCP peer signaling layer 214A may be coupledto the transport layer. The TCP peer signaling layer 214A establishes amessaging connection directly to a counterpart peer signaling layer 214Bassociated with a transport layer 212B of a standby processor. Theactive TCP module 108A can send messages directly to a standby TCPmodule 108B through the TCP peer signaling layers 214A, 214B withouttraversing lower layers such as network layer 216A (which may implementIP), data link layer 218A, or physical layer 220A.

In the approach of FIG. 2A, TCP connection data as received “on thewire” at the active TCP module 108A serves as a primary driver forgenerating state information in a TCP state machine for a connection onthe standby TCP module 108B. In an embodiment, all connection data isreplicated at the active TCP module 108A, sent to the standby TCP module108B, and processed by the TCP state machine of the standby TCP moduleas if the data came from the wire directly to the standby TCP module.This approach exploits the observation that two TCP stacks that are RFCcompliant must produce the same end state given the same packet inputs.The peer-to-peer signaling mechanism transfers packets or events intothe TCP state machine on the standby TCP module without involving lowerlayers.

Further, in one embodiment, higher-layer TCP applications hosted at thestandby route processor can read packets as if the packets are arrivingon the connection from the wire. Each TCP connection represented on thestandby TCP module is maintained in a read-only mode, i.e., applicationscannot write packets into the connection or send TCP segments using theconnection.

While certain embodiments are described herein in the context of TCP,the broad approaches herein apply to other transport layer protocols,such as Stream Control Transmission Protocol (SCTP). Certain embodimentsare useful in the context of performing non-stop routing processes. Suchprocesses are described, for example, in co-pending application Ser. No.10/808,040, filed Mar. 24, 2004, entitled “Routing system and method fortransparently recovering routing states after a failover or during asoftware upgrade,” of Chandrashekhar Appanna et al.

The approaches provided herein can support failover of passive openconnections, which are TCP connections originating from another BGPpeer. The approaches herein also support failover of active openconnections, which are TCP connections originating from a particular BGPpeer that implements the approaches herein. The approaches herein canhandle asymmetric startup, which occurs when a secondary processorinitiates operation or is added after a primary process initializes andestablishes TCP connections with a peer.

3.0 Example Implementation of High Availability Transport ProtocolMethod and Apparatus

An example implementation of a high availability transport protocolmethod is now described with reference to FIG. 3, FIG. 4, and FIG. 5,which are flow diagrams that illustrate details of one embodiment of amethod for providing high-availability transport layer connections.

3.1 State Replication

TCP is a stateful protocol that provides reliable datagram delivery,flow control, and congestion control for higher-order applications. Toprovide these services, a TCP implementation maintains state data thatincludes variables, such as window sizes, round trip time, etc.; are-transmission queue containing copies of segments that have been sentbut not yet acknowledged; and timers. A successful switchover to asecondary processor of TCP requires timely synchronization of such statedata to the secondary processor.

Applications that run on transport layer connections may initiate thecreation of replicated connection state information in the followingmanner. Referring to FIG. 3, at step 302, an application determines thata specified connection should have stateful switchover (SSO) treatment.At step 304, the application initiates a function call to an API exposedby a TCP high availability process, such as TCP high availabilityprocess 106A, and requests TCP to configure a particular connection forSSO. In the API call the application may provide information identifyinga connection, such as a five-tuple of flow parameters. In response, theTCP high availability process configures the requested connection forSSO treatment. Such configuration may include setting a property valuein a data structure that stores connection properties for a particularTCP connection, marking the connection in a table, storing flowparameters in a table having entries only for SSO connections, etc. Anapplication may also maintain information at the application layerindicating that particular underlying connections are SSO configured.

At step 310, the active TCP module receives a TCP segment for aparticular connection. At step 312, the active TCP module determineswhether the particular connection is configured for SSO. Step 312 may beimplemented as a filter in the packet input path, such that only packetsfor SSO connections are replicated reliably to the standby TCP module.

If the particular connection is not SSO configured, then normal TCPprocessing is performed at step 314, and the standby TCP module neverbecomes involved. If SSO configuration is indicated, then at step 316, acopy of the packet is created, and at step 318 a message containing thepacket copy is sent to the standby TCP module. The TCP peer signalinglayer 214A, 214B may be used for such messaging. Upon receiving themessage, the standby TCP module processes the packet using its TCP statemachine, resulting in creating equivalent state at the standby TCPmodule.

In an embodiment, messages sent on peer signaling layer 214A, 214B aretagged with message type values to differentiate messages containingsegments received for an existing SSO connection and for a newconnection. For example, the message type “TCP_HA_PKT” may designate aTCP packet or segment received for an existing SSO connection, and themessage type “TCP_HA_NEW_CONN” may designate a segment associated with anew connection, for which ISN synchronization is required. Othermessages to verify, clear, query, and support asymmetric startup may bedefined.

Thus, in the approach of FIG. 3, an application such as BGP can specifywhether a connection is highly available or not. Only for connectionsthat are marked highly available, packets are cloned and sent to thestandby TCP module. Replication and communication of the packets occursat the transport protocol level. This approach ensures that the inboundpacket runs through the standby state machine and is synchronized withthe active TCP module state machine.

The approach of FIG. 3 represents an improvement over brute-force datacheckpointing approaches, because TCP state changes for every processedpacket, and checkpointing each and every state change may requireexcessive use of inter-process communication (IPC) resources. Further,with checkpointing approaches, synchronization becomes difficult forhighly different or divergent versions of the TCP software. Moreover, acheckpointing approach cannot result in modifying all local variablesthat are maintained internally by the standby TCP module.

State replication logic 120 of FIG. 1B can implement the process of FIG.3 as described above.

3.2 Setting Up and Synchronizing New Connections

According to one embodiment, special processing is performed to set upand synchronize the standby TCP module when the active TCP modulereceives segments associated with establishing one or more new TCPconnections. In particular, special processing is performed to result insynchronization of TCP initial sequence number (ISN) values at both theactive TCP module and standby TCP module.

To provide such synchronization, peer-peer packet replication cannot beperformed without considering the contents of the packets. A TCP peerindependently selects the ISN for a connection. Therefore, if the activeTCP module simply sends the standby TCP module every SYN packet that isreceived from a peer, the active TCP module and standby TCP module willselect different ISN values. In such an approach, a switchover to thestandby TCP module would result in non-recoverable loss ofsynchronization between the standby TCP module and the peer.

Referring now to FIG. 4, at step 402, the active TCP module receives aTCP segment for a particular connection. At step 404, the active TCPmodule determines whether the particular connection is configured forstateful switchover. If not, then in step 406 normal TCP processing isperformed.

If the particular connection is configured for SSO, then at step 408,the active TCP module determines whether it has received a SYN segmenton the particular connection. According to RFC 793, which defines TCP, aSYN segment is associated with initiating a new connection. If a SYNsegment was not received, then the active TCP module performs steps 410to step 414. At step 410, the packet containing the segment is copied.At step 412, the packet copy is encapsulated in a TCP peer-to-peersignaling message, and sent to the standby TCP module. The standby TCPmodule processes the packet as if it received the packet over the wirein a real connection, thereby duplicating state information held by theactive TCP module.

If the active TCP module has received a SYN segment, then steps 416 to426 are performed. At step 416, the active TCP module completes aconventional three-way handshake message exchange with the peer TCPprocess, without informing the standby TCP module, and withoutreplicating packets and segments involved in the handshake or sendingsuch packets or segments to the standby TCP module. Thus, at step 416 anew connection may reach the ESTABLISHED state defined in RFC 793without involvement of the standby TCP module and without replication ofstate at the standby TCP module.

Optionally, at step 420, one or more security checks may be performed.For example, the security checks may test for the presence of SYN floodattacks. If such an attack is identified, it may be suppressed andremaining steps may be skipped without informing the standby TCP module.

At step 418, the active TCP module creates a copy of the TCP controlblock (TCB) that the active TCP module has created and is maintainingfor the new connection resulting from completing the handshake at step416. The TCB is packaged in an event message.

At step 422, the current TCP connection is frozen at the active TCPmodule. Freezing a connection may involve marking the connection astemporarily unavailable at the active TCP module. Freezing a connectionprevents the TCP state machine of the active TCP module from changingstate while the process of FIG. 4 is transferring the TCB for theconnection to the standby TCP module, so that the TCB at the active TCPmodule and a copy received at the standby TCP module reflect the samestate.

At step 424, the active TCP module sends the TCB copy to the standby TCPmodule. At step 426, the standby TCP module creates a duplicate or cloneconnection based on the received TCB. After performing step 426, thestandby TCP module has created a connection and associated datastructure equivalent to the new connection at the active TCP module. Theactive TCP module then can unfreeze the connection and continueprocessing segments associated with the connection. The techniques forstate replication described above for FIG. 3 are then used to maintainequivalent state at the active TCP module and standby TCP module.

Thus, in the approach of FIG. 4, whenever a new connection isestablished, only the active TCP module selects an ISN value, and theactive TCP module then informs the standby TCP module about the selectedISN by providing a replica of the initial TCP control block for theconnection. During the transfer the TCP connection is frozen, to preventthe active TCP module from performing any further changes in state data.The standby TCP module does not generate the ISN, and after switchover,the standby TCP module uses the ISN contained in a previous message fromthe active TCP module for processing subsequent segments that arereceived from the peer.

In one embodiment, only connections that pass one or more securitychecks are transferred to the standby TCP module.

New connection processing logic 124 can implement the processes of FIG.4 as described above.

3.3 Processing Send Window Values

The approach herein allows an application to specify whether TCP sendwindow values should be periodically checkpointed to the standby TCPmodule. Many applications can do not require send window checkpointing.For these applications, in the approach herein, only informationindicating an event, such as reception of a packet, is passed from theactive TCP module to the standby TCP module.

Referring now to FIG. 5, after either step 316 of FIG. 3 or step 416 ofFIG. 4, a test is performed to determine whether the current connectionis configured for checkpointing send window values, as shown by step502. If so, then at step 508, the active TCP module creates an exactcopy of a received TCP segment including actual data as received fromthe peer. At step 506, the TCP segment copy is sent to the standby TCPmodule. The standby TCP module passes the received segment copy throughits state machine, resulting in creating equivalent send window valuesand state. This alternative is appropriate only if enough IPC bandwidthis available for transmitting all the data.

Alternatively, if send window checkpointing is not configured, then atstep 504 the active TCP module creates a TCP segment copy having avalid, replicated header and correct segment length based on the dataincluded in the original segment, but containing dummy data. The segmentis sent to the standby TCP module at step 506.

The standby TCP module passes the received segment copy through itsstate machine, resulting in creating equivalent send window values andstate, without data or state checkpointing. Other techniques forprocessing dummy data are described in co-pending application Ser. No.10/948,732, filed Sep. 22, 2004, entitled Cooperative TCP/BGP WindowManagement For Stateful Switchover, of Chandrashekhar Appanna et al.

With this approach, applications can select whether to implement sendwindow checkpointing. Thus, the system architecture and methods providedherein are adaptive to the needs of applications.

Applications are expected to be able to fill any holes in the TCP sendwindow after a switchover if and only if there is need for aretransmission. Further, in one embodiment, the active TCP module doesnot fragment application protocol data units (PDUs), which ensures thatsend windows will synchronize after switchover. In an embodiment,multiple messages may be grouped and Nagle's algorithm may beimplemented, but without fragmentation.

Send window checkpoint logic 125 of FIG. 1B can implement the functionsdescribed above.

3.4 Initial Synchronization of Standby TCP Module

In one embodiment, special processing steps are performed when a standbyTCP module initiates operation. For example, the standby TCP modulecontacts the active TCP module using TCP peer signaling layers 214B,214A to request and receive all state data for all SSO-enabledconnections that are then currently maintained on the active TCP module.As described above, applications running on TCP specify when certain TCPconnections are SSO enabled. Further, the active TCP module triggerssuch applications to perform follow-up processing for active connectionswhen the standby TCP module initiates operation. For example, the activeTCP module may inform a BGP application by invoking callback functionsto indicate that the TCP processing involved in synchronization for aparticular TCP connection or TCB is complete.

In one embodiment, initial synchronization logic 126 enablesapplications to group and optimize the order in which SSO is enabled onTCP connections. No particular order is required, and an asynchronousevent can be used for enabling SSO.

Initial synchronization logic 126 of FIG. 1B can implement the functionsdescribed above.

3.5 State Tracking and Verification

Some applications can benefit from mechanisms for retrieving currentstate information for the purpose of tracking and verifying states of aTCP state machine, or for retrieving certain data values that the TCPmodules use internally. Such verification also provides a way todetermine whether communication across the peer-to-peer signaling layeris reliable—that is, to determine whether the standby TCP module isreceiving correct data from the active TCP module.

In one embodiment, TCP high availability process 106A providesmechanisms for applications seeking real-time state verification. Forexample, in one embodiment, state replication logic 120 includesinstructions for periodically checking that the states at the active TCPmodule and standby TCP module are identical. As one example, the valuesof TCP state variables such as sndwnd, snduna, rcvnxt, rcvwnd arecompared, and an error is thrown if the values are not identical.Alternatively, an auto-recovery process can be initiated; thus,detecting that endpoints of a connection are out of synchronization cantrigger recovery. Further, timer values may be compared within atolerable skew amount. Application-specific values also may be checked.

In one embodiment, the interval during which such checks are performedis programmable. For example, an interval configuration value mayspecify that the foregoing state verification checks are performed aftera specified number of packets, where the specified number of packets ischosen by the application. In one embodiment, verification checking isnot enabled by default, but an application can enable verificationchecking on a per connection basis. This approach provides logic usefulfor debugging and fault recovery.

In still another embodiment, TCP high availability process 106A providesan API with a function that enables an application, such as BGP, todetermine the sizes of any dummy packets that are in the send queue ofthe standby TCP module. With this information, the BGP application cangenerate packets of the same size and provide them to TCP fortransmission. The standby TCP module then recreates the send queue usingthe provided packets. This approach ensures that if a receiving peer hasany logical holes in its receive window, the window can be filledwithout problems.

3.6 Post-Switchover Processing

“Switchover” refers to a transfer of primary TCP segment processingcontrol from the active TCP module to the standby TCP module. In oneembodiment, after a switchover, to ensure ordered processing of TCPsegments, the new active TCP module processes all pending events beforeactually becoming active and able to accept new segments. Pending eventsmay include, for example, pending input packets that were received atthe former active TCP module, but not replicated and sent to the formerstandby TCP module, at the time that the switchover occurred.

Further, in an embodiment, timers that are conventionally maintained inTCP implementations, such as the retransmission timer, give up timer,delayed ACK timer, etc., are reset to default values. This approach isbased on the insight that corresponding timers at the active TCP moduleand the standby TCP module may inevitably lose synchronization due todifferences in the accuracy of the clocks of the different CPUs thathost the modules, but that TCP peers will adapt to changes if suchvalues are reset. The only impact of restoring the default values is toextend the occurrence of some event by milliseconds, while not affectinglong term average processing time.

In another embodiment, values for certain TCP options are cleared. Forexample, the SACK feature maintains state such as SACK blocks. However,because such features are optimization options for TCP, the informationcan be cleared at switchover without serious consequences. For example,the result of clearing SACK blocks is to cause the new active TCP moduleto drop SACK blocks for the few packets that were being processed;thereafter, SACK processing restarts for new packets. This approach alsoensures that the standby TCP module can properly interface with the BGPpeer when the peers have different software versions or operating systemversions.

The foregoing features allow for active TCP module to eliminate asignificant amount of checkpointing, without detectable harm over aperiod of more than a few packets.

3.7 Benefits of Certain Embodiments

Through these approaches, an embodiment uses intelligent techniques atthe TCP level to achieve transparent failover of TCP connections. Theseapproaches provide a foundation for supporting TCP applications, such asBGP, with high availability. The approaches avoid brute forcecheckpointing, and use intelligent techniques that are applied at theTCP level. The peer-to-peer signaling layer provides fastercommunication of replicated state data, and enables an implementation tore-use the IP header and the datalink layer header of a packet. As aresult, efficient packet cloning is provided. In contrast, otherapproaches employ excessive checkpointing for both send and receivestate machine values, these approaches are difficult to scale, and theyrequire sophisticated hardware assistance.

4.0 Implementation Mechanisms—Hardware Overview

FIG. 6 is a block diagram that illustrates a computer system 600 uponwhich an embodiment of the invention may be implemented. The preferredembodiment is implemented using one or more computer programs running ona network element such as a router device. Thus, in this embodiment, thecomputer system 600 is a router.

Computer system 600 includes a bus 602 or other communication mechanismfor communicating information, and a processor 604 coupled with bus 602for processing information. Computer system 600 also includes a mainmemory 606, such as a random access memory (RAM), flash memory, or otherdynamic storage device, coupled to bus 602 for storing information andinstructions to be executed by processor 604. Main memory 606 also maybe used for storing temporary variables or other intermediateinformation during execution of instructions to be executed by processor604. Computer system 600 further includes a read only memory (ROM) 608or other static storage device coupled to bus 602 for storing staticinformation and instructions for processor 604. A storage device 610,such as a magnetic disk, flash memory or optical disk, is provided andcoupled to bus 602 for storing information and instructions.

A communication interface 618 may be coupled to bus 602 forcommunicating information and command selections to processor 604.Interface 618 is a conventional serial interface such as an RS-232 orRS-422 interface. An external terminal 612 or other computer systemconnects to the computer system 600 and provides commands to it usingthe interface 614. Firmware or software running in the computer system600 provides a terminal interface or character-based command interfaceso that external commands can be given to the computer system.

A switching system 616 is coupled to bus 602 and has an input interface614 and an output interface 619 to one or more external networkelements. The external network elements may include a local network 622coupled to one or more hosts 624, or a global network such as Internet628 having one or more servers 630. The switching system 616 switchesinformation traffic arriving on input interface 614 to output interface619 according to pre-determined protocols and conventions that are wellknown. For example, switching system 616, in cooperation with processor604, can determine a destination of a packet of data arriving on inputinterface 614 and send it to the correct destination using outputinterface 619. The destinations may include host 624, server 630, otherend stations, or other routing and switching devices in local network622 or Internet 628.

The invention is related to the use of computer system 600 for upgradingnetwork protocol software. According to one embodiment of the invention,upgrading network protocol software is provided by computer system 600in response to processor 604 executing one or more sequences of one ormore instructions contained in main memory 606. Such instructions may beread into main memory 606 from another computer-readable medium, such asstorage device 610. Execution of the sequences of instructions containedin main memory 606 causes processor 604 to perform the process stepsdescribed herein. One or more processors in a multi-processingarrangement may also be employed to execute the sequences ofinstructions contained in main memory 606. In alternative embodiments,hard-wired circuitry may be used in place of or in combination withsoftware instructions to implement the invention. Thus, embodiments ofthe invention are not limited to any specific combination of hardwarecircuitry and software.

The term “computer-readable medium” as used herein refers to any mediumthat participates in providing instructions to processor 604 forexecution. Such a medium may take many forms, including but not limitedto, non-volatile media, volatile media, and transmission media.Non-volatile media includes, for example, optical or magnetic disks,such as storage device 610. Volatile media includes dynamic memory, suchas main memory 606. Transmission media includes coaxial cables, copperwire and fiber optics, including the wires that comprise bus 602.Transmission media can also take the form of acoustic or light waves,such as those generated during radio wave and infrared datacommunications.

Common forms of computer-readable media include, for example, a floppydisk, a flexible disk, hard disk, magnetic tape, or any other magneticmedium, a CD-ROM, any other optical medium, punch cards, paper tape, anyother physical medium with patterns of holes, a RAM, a PROM, and EPROM,a FLASH-EPROM, any other memory chip or cartridge, a carrier wave asdescribed hereinafter, or any other medium from which a computer canread.

Various forms of computer readable media may be involved in carrying oneor more sequences of one or more instructions to processor 604 forexecution. For example, the instructions may initially be carried on amagnetic disk of a remote computer. The remote computer can load theinstructions into its dynamic memory and send the instructions over atelephone line using a modem. A modem local to computer system 600 canreceive the data on the telephone line and use an infrared transmitterto convert the data to an infrared signal. An infrared detector coupledto bus 602 can receive the data carried in the infrared signal and placethe data on bus 602. Bus 602 carries the data to main memory 606, fromwhich processor 604 retrieves and executes the instructions. Theinstructions received by main memory 606 may optionally be stored onstorage device 610 either before or after execution by processor 604.

Communication interface 618 also provides a two-way data communicationcoupling to a network link 620 that is connected to a local network 622.For example, communication interface 618 may be an integrated servicesdigital network (ISDN) card or a modem to provide a data communicationconnection to a corresponding type of telephone line. As anotherexample, communication interface 618 may be a local area network (LAN)card to provide a data communication connection to a compatible LAN.Wireless links may also be implemented. In any such implementation,communication interface 618 sends and receives electrical,electromagnetic or optical signals that carry digital data streamsrepresenting various types of information.

Network link 620 typically provides data communication through one ormore networks to other data devices. For example, network link 620 mayprovide a connection through local network 622 to a host computer 624 orto data equipment operated by an Internet Service Provider (ISP) 626.ISP 626 in turn provides data communication services through theworldwide packet data communication network now commonly referred to asthe “Internet” 628. Local network 622 and Internet 628 both useelectrical, electromagnetic or optical signals that carry digital datastreams. The signals through the various networks and the signals onnetwork link 620 and through communication interface 618, which carrythe digital data to and from computer system 600, are exemplary forms ofcarrier waves transporting the information.

Computer system 600 can send messages and receive data, includingprogram code, through the network(s), network link 620 and communicationinterface 618. In the Internet example, a server 630 might transmit arequested code for an application program through Internet 628, ISP 626,local network 622 and communication interface 618. In accordance withthe invention, one such downloaded application provides for upgradingnetwork protocol software as described herein.

Processor 604 may execute the received code as it is received, and/orstored in storage device 610, or other non-volatile storage for laterexecution. In this manner, computer system 600 may obtain applicationcode in the form of a carrier wave.

5.0 Extensions and Alternatives

In the foregoing specification, the invention has been described withreference to specific embodiments thereof. It will, however, be evidentthat various modifications and changes may be made thereto withoutdeparting from the broader spirit and scope of the invention. Thespecification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense.

1. A method, comprising: receiving, at a network element comprising anactive transport protocol process coupled to a standby transportprotocol process, a request to configure a first transport layerconnection maintained at the active transport protocol process forstateful switchover; wherein the active transport protocol process andthe standby transport protocol process implement transmission controlprotocol (TCP); receiving a first event associated with the firsttransport layer connection wherein the first event comprises a TCP SYNsegment; only in response to determining that a request to configure thefirst transport layer connection for stateful switchover was received:performing, at the active transport protocol process, one or moresecurity checks on the TCP SYN segment; establishing completely at theactive transport protocol process the first connection without informingthe standby transport protocol process, as a result of receiving thefirst event; creating a first message containing a copy of a TCP controlblock, as a result of receiving the first event; sending, to the standbytransport protocol process at the active transport protocol process, thefirst message only if the TCP SYN segment passes the one or moresecurity checks; creating at the standby transport protocol process asecond connection that replicates the first transport layer connectionand uses the TCP control block copy, as a result of receiving the firstmessage; receiving a second event associated with the first transportlayer connection; only in response to determining that a request toconfigure the first transport layer connection for stateful switchoverwas received: creating a second message containing replicated eventinformation based on the second received event, wherein the secondmessage includes a valid header, correct length, and dummy data; sendingthe second message to the standby transport protocol process; andprocessing the second message at the standby transport protocol process,wherein the standby transport protocol process replicates stateinformation for the first connection; receiving a third event associatedwith a third transport layer connection maintained at the activetransport protocol process; and in response to determining that arequest to configure the third transport layer connection for statefulswitchover was not received, processing the third event without sendingany message to the standby transport protocol process.
 2. A method asrecited in claim 1, wherein the second message is sent from the activetransport protocol process to the standby transport protocol processusing a peer signaling layer, wherein the second message is notcommunicated to one or more logically lower protocol layers.
 3. A methodas recited in claim 1, wherein the first transport layer connection isconfigured not to perform send window checkpointing, wherein the activetransport protocol process creates and sends, to the standby transportprotocol process, a TCP segment with a valid header, correct length, anddummy data.
 4. A method as recited in claim 1, wherein the activetransport protocol process and the standby transport protocol processimplement TCP, and wherein the network element hosts active and standbyBorder Gateway Protocol (BGP) processes logically on top of therespective TCP processes.
 5. A method as recited in claim 1, furthercomprising receiving a request for state verification, testing whetherone or more state values maintained by the active transport protocolprocess for the first transport layer connection match one or morecorresponding state values that are maintained by the standby transportprotocol process for a replica of the first transport layer connection,and performing a responsive action when no match occurs.
 6. A method asrecited in claim 1 wherein, in response to a switchover, the standbytransport protocol process, processes all pending events associated withall active connections, resets all timer values associated with theconnections, and resets all option values associated with theconnections before becoming active.
 7. A network routing apparatus,comprising: an active route processor that runs an active transportprotocol process; a standby route processor that is coupled to theactive route processor in a redundant arrangement, and that runs astandby transport protocol process; a computer-readable storage devicethat is accessible to the active route processor and the standby routeprocessor, and storing one or more sequences of instructions which, whenexecuted by the route processors, cause the route processors to performthe steps of: receiving a request to configure a first transport layerconnection maintained at the active transport protocol process forstateful switchover, wherein the active transport protocol process andthe standby transport protocol process implement transmission controlprotocol (TCP); receiving a first event associated with the firsttransport layer connection wherein the first event comprises a TCP SYNsegment; only in response to determining that a request to configure thefirst transport layer connection for stateful switchover was receivedperforming, at the active transport protocol process, one or moresecurity checks on the TCP SYN segment; establishing completely at theactive transport protocol process the first connection without informingthe standby transport protocol process, as a result of receiving thefirst event; creating a first message containing a copy of a TCP controlblock, as a result of receiving the first event; sending, to the standbytransport protocol process at the active transport protocol process, thefirst message only if the TCP SYN segment passes the one or moresecurity checks; creating at the standby transport protocol process asecond connection that replicates the first transport layer connectionand uses the TCP control block copy, as a result of receiving the firstmessage; receiving a second event associated with the first transportlayer connection; only in response to determining that a request toconfigure the first transport layer connection for stateful switchoverwas received: creating a second message containing replicated eventinformation based on the second received event, wherein the secondmessage includes a valid header, correct length, and dummy data; sendingthe second message to the standby transport protocol process; andprocessing the second message at the standby transport protocol process,wherein the standby transport protocol process replicates stateinformation for the first connection; receiving a third event associatedwith a third transport layer connection maintained at the activetransport protocol process; and in response to determining that arequest to configure the third transport layer connection for statefulswitchover was not received, processing the third event without sendingany message to the standby transport protocol process.
 8. An apparatusas recited in claim 7, wherein the second message is sent from theactive transport protocol process to the standby transport protocolprocess using a peer signaling layer, wherein the second message is notcommunicated to one or more logically lower protocol layers.
 9. Anapparatus as recited in claim 7, wherein the first transport layerconnection is configured not to perform send window checkpointing,wherein the active transport protocol process creates and sends, to thestandby transport protocol process, a TCP segment with a valid header,correct length, and dummy data.
 10. An apparatus as recited in claim 7,wherein the active transport protocol process and the standby transportprotocol process implement TCP, and wherein the network element hostsactive and standby Border Gateway Protocol (BGP) processes logically ontop of the respective TCP processes.
 11. An apparatus as recited inclaim 7, further comprising receiving a request for state verification,testing whether one or more state values maintained by the activetransport protocol process for the first transport layer connectionmatch one or more corresponding state values that are maintained by thestandby transport protocol process for a replica of the first transportlayer connection, and performing a responsive action when no matchoccurs.
 12. An apparatus as recited in claim 7, wherein in response to aswitchover, the standby transport protocol process, processes allpending events associated with all active connections, resets all timervalues associated with the connections, and resets all option valuesassociated with the connections before becoming active.
 13. A networkrouting apparatus, comprising: an active route processor that runs anactive transport protocol process; a standby route processor that iscoupled to the active route processor in a redundant arrangement, andthat runs a standby transport protocol process; means for receiving arequest to configure a first transport layer connection maintained atthe active transport protocol process for stateful switchover; whereinthe active transport protocol process and the standby transport protocolprocess implement transmission control protocol (TCP); means forreceiving a first event associated with the first transport layerconnection wherein the first event comprises a TCP SYN segment; meansfor performing, at the active transport protocol process, one or moresecurity checks on the TCP SYN segment only if a request to configurethe first transport layer connection for stateful switchover wasreceived; means for establishing completely at the active transportprotocol process the first connection without informing the standbytransport protocol process, as a result of receiving the first event,only if a request to configure the first transport layer connection forstateful switchover was received; means for creating a first messagecontaining a copy of a TCP control block, as a result of receiving thefirst event, only if a request to configure the first transport layerconnection for stateful switchover was received; means for sending, tothe standby transport protocol process at the active transport protocolprocess, the first message only if the TCP SYN segment passes the one ormore security checks, and only if a request to configure the firsttransport layer connection for stateful switchover was received; meansfor creating at the standby transport protocol process a secondconnection that replicates the first transport layer connection and usesthe TCP control block copy, as a result of receiving the first message,only if a request to configure the first transport layer connection forstateful switchover was received; means for receiving a second eventassociated with the first transport layer connection; means for creatinga second message containing replicated event information based on thesecond received event, wherein the second message includes a validheader, correct length, and dummy data, only if a request to configurethe first transport layer connection for stateful switchover wasreceived; means for sending the second message to the standby transportprotocol process only if a request to configure the first transportlayer connection for stateful switchover was received; and means forprocessing the second message at the standby transport protocol process,wherein the standby transport protocol process replicates stateinformation for the first connection, only if a request to configure thefirst transport layer connection for stateful switchover was received;means for receiving a third event associated with a third transportlayer connection maintained at the active transport protocol process;and means for processing the third event without sending any message tothe standby transport protocol process if a request to configure thethird transport layer connection for stateful switchover was notreceived.
 14. An apparatus as recited in claim 13, wherein the secondmessage is sent from the active transport protocol process to thestandby transport protocol process using a peer signaling layer, whereinthe second message is not communicated to one or more logically lowerprotocol layers.
 15. An apparatus as recited in claim 13, wherein thefirst transport layer connection is configured not to perform sendwindow checkpointing, wherein the active transport protocol processincludes means for creating and sending, to the standby transportprotocol process, a TCP segment with a valid header, correct length, anddummy data.
 16. An apparatus as recited in claim 13, wherein the activetransport protocol process and the standby transport protocol processimplement TCP, and wherein the network element includes means forhosting active and standby Border Gateway Protocol (BGP) processeslogically on top of the respective TCP processes.
 17. An apparatus asrecited in claim 13, further comprising means for receiving a requestfor state verification, means for testing whether one or more statevalues maintained by the active transport protocol process for the firsttransport layer connection match one or more corresponding state valuesthat are maintained by the standby transport protocol process for areplica of the first transport layer connection, and means forperforming a responsive action when no match occurs.
 18. An apparatus asrecited in claim 13, wherein: the standby route processor includes meansfor processing all pending events associated with all activeconnections, means for resetting all timer values associated with theconnections, and means for resetting all option values associated withthe connections before becoming active; and the means for processing allpending events, the means for resetting all timer values, and the meansfor resetting all option values are responsive to a switchover.
 19. Acomputer-readable storage device storing one or more sequences ofinstructions, which instructions, when executed by one or moreprocessors, cause the one or more processors to carry out the steps of:receiving, at a network element comprising an active transport protocolprocess coupled to a standby transport protocol process, a request toconfigure a first transport layer connection maintained at the activetransport protocol process for stateful switchover; wherein the activetransport protocol process and the standby transport protocol processimplement transmission control protocol (TCP); receiving a first eventassociated with the first transport layer connection wherein the firstevent comprises a TCP SYN segment; only in response to determining thata request to configure the first transport layer connection for statefulswitchover was received: performing, at the active transport protocolprocess, one or more security checks on the TCP SYN segment;establishing completely at the active transport protocol process thefirst connection without informing the standby transport protocolprocess, as a result of receiving the first event; creating a firstmessage containing a copy of a TCP control block, as a result ofreceiving the first event; sending, to the standby transport protocolprocess at the active transport protocol process, the first message onlyif the TCP SYN segment passes the one or more security checks; creatingat the standby transport protocol process a second connection thatreplicates the first transport layer connection and uses the TCP controlblock copy, as a result of receiving the first message; receiving asecond event associated with the first transport layer connection; onlyin response to determining that a request to configure the firsttransport layer connection for stateful switchover was received:creating a second message containing replicated event information basedon the second received event, wherein the second message includes avalid header, correct length, and dummy data; sending the second messageto the standby transport protocol process; and processing the secondmessage at the standby transport protocol process, wherein the standbytransport protocol process replicates state information for the firstconnection; receiving a third event associated with a third transportlayer connection maintained at the active transport protocol process;and in response to determining that a request to configure the thirdtransport layer connection for stateful switchover was not received,processing the third event without sending any message to the standbytransport protocol process.